Show diff of encrypted files in git

[devinbarry]

Many of the files I manage with chezmoi are encrypted (for example files in ~/.ssh). When I make changes with chezmoi edit, even if I change nothing in the plaintext, I will end up with a completely changed file in git, because the cypher text changes with every edit even if the edit changes nothing. When I use chezmoi cd and do a git diff I obviously cannot tell what has actually changed in these files, if anything. I am just shown two totally different cypher texts. Is there any existing command within chezmoi which allows me to see these changes? I have not found anything.

I wrote a script that allows me to see the changes:

#!/bin/bash

# Function to cleanup temporary files
cleanup() {
    if [ -f "$TEMP_CURRENT" ]; then
        shred -u "$TEMP_CURRENT"
    fi
    if [ -f "$TEMP_HEAD" ]; then
        shred -u "$TEMP_HEAD"
    fi
}

# Set trap to ensure cleanup on exit
trap cleanup EXIT

# Check if a file is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <file>"
    exit 1
fi

FILE="$1"

# Get the absolute path of the file
ABSOLUTE_PATH=$(readlink -f "$FILE")

# Get the path relative to the Git root
RELATIVE_PATH=$(git ls-files --full-name "$ABSOLUTE_PATH")

if [ -z "$RELATIVE_PATH" ]; then
    echo "Error: File is not tracked by Git"
    exit 1
fi

# Create temporary files
TEMP_CURRENT=$(mktemp)
TEMP_HEAD=$(mktemp)

# Decrypt current version of the file
chezmoi decrypt "$ABSOLUTE_PATH" > "$TEMP_CURRENT"

# Get and decrypt the HEAD version of the file
git show "HEAD:$RELATIVE_PATH" | chezmoi decrypt > "$TEMP_HEAD"

# Perform colored diff on decrypted files with custom labels
diff --color=always -u \
    --label="$RELATIVE_PATH (HEAD)" "$TEMP_HEAD" \
    --label="$RELATIVE_PATH (Current)" "$TEMP_CURRENT" | \
    sed '1,3d'  # Remove the first 3 lines (diff command and timestamps)

# Cleanup is handled by the trap

I can call this script with ./unecrypted_diff.sh <file>.age and I get an approximate equivalent to git diff
Does anything in chezmoi do something like this script?

[halostatue]

Not as far as I know. Note that you can clean up temporary file usage through process substitution. This particular case is NOT tested as I don't use encrypted files, but I’ve written many scripts like this before:

#!/usr/bin/env bash

set -euo pipefail

if (($# < 1)); then
  echo "usage: $(basename "$0") file..."
  exit 1
fi

warnings=false

for file in "$@"; do
  absolute="$(readlink -f "$file")"
  relative="$(git ls-files --full-name "$absolute")"

  if [[ -z "$relative" ]]; then
    echo >&2 "Error: file '$file' not tracked by git"
    warnings=true
    continue
  fi

  git diff --no-index <(git show "HEAD:$relative" | chezmoi decrypt) <(chezmoi decrypt "$absolute")
done

"$warnings" && exit 1

If you wanted to use Fish instead, it would be (git show "HEAD:$relative | chezmoi decrypt | psub) and (chezmoi decrypt "$absolute" | psub) in addition to the other changes.

[twpayne]

When I make changes with chezmoi edit, even if I change nothing in the plaintext, I will end up with a completely changed file in git, because the cypher text changes with every edit even if the edit changes nothing.

This is a bug in chezmoi. If there are no changes to the plaintext, then chezmoi should not re-encrypt the plaintext.

When I use chezmoi cd and do a git diff I obviously cannot tell what has actually changed in these files, if anything. I am just shown two totally different cypher texts. Is there any existing command within chezmoi which allows me to see these changes?

Yes, chezmoi diff shows the plaintext diffs between encrypted files.

[twpayne]

This is a bug in chezmoi. If there are no changes to the plaintext, then chezmoi should not re-encrypt the plaintext.

#3888 should fix this.